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Physical disc mark trigger in encrypted content 



Introduction 

Films released on DVD are protected from being copied by the so-called CSS 
encryption method, well known to a person skilled in the art. In the fixture, additional 
protec ion methods such as digital watermarking will be added. With the imminent 
5 introduction of recordable and rewritable DVD formats into the consumer-market, there is 
also tfce need of so called "play control" which ensures that certain copy protection rules are 
checkod. One of these rules is the following: CSS encrypted content on a recordable disc 
shoulc. be refused. This rule has been specified in the CSS-license, signed by all DVD- 
manuiacturers, but has not been substantiated in its technical realisation. In other words, 
1 0 although all DVD-player manufacturers should obey this rule per the CSS~license, there is no 
clear ivay to implement this. The invention disclosed here presents such a realisation. 

In order to implement this rule, recordable discs have to be distinguished from 
pre-recorded discs, e.g. DVD-ROM discs. There are two ways of approaching this problem: 

15 • Recognise all recordable formats (present and future) (e.g. pre-groove detection). This 
method is technically simple but seriously flawed from a security point of view. There is 
an incentive for recordable disc manufacturers to continually attempting to modify their 
recordable media in such a way that players (not recorders) recognise them as ROM 
discs, so as to legally circumvent the CSS-rule. New players would have to recognise 

20 those new discs as well, i.e. an arms race. 

• Introduce a physical disc mark for DVD-ROM discs which cannot be reproduced by 
consumers on recordable discs e.g. ROM-wobble. This wobble is a (small) radial 
variation of the spiral made up by pits and lands and recorded in phase. This wobble can 
bv, detected in a player from the DPD-radial servo-tracking signal, present in the basis 

25 engine. The discs upon which such a wobble is detected are marked pre-recorded, 

whereas discs without a wobble are marked recordable. In this way, the wobble can be 
uried for distinguishing pre-recorded discs from recordable discs. 
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In the second solution, for additional security, the proposed ROM-wobble can 
have a payload, which is (cryptographically) tied to the content, e.g. by using the payload in 
the watermark. This is where the wobble shows its real strength. The wobble could also be 
tied to CSS, which has the added bonus of providing an upgrade path. 

5 

The problem with introducing the ROM-wobble is the presence of legacy 
ROM-discs with CSS content that do not have the wobble. I.e. there are 2 types of discs 
without a wobble: i) recordable or rewriteable discs which should be rejected when 
comprising protected content, e.g. CSS protected content, ii) legacy pre-recorded discs which 
10 should be played back (even when comprising (CSS) protected content). Therefore, it is 
required that in the content on "new" discs there will be a "wobble-trigger" (as well as the 
payload). This trigger has the following requirements: 

• It i ihould be easily detectable from looking just at the content 

• It should not be easily removable by a hacker 
IS • It sihould not affect content preparation 



Resul ts known thus far; limitations 

Previous solutions did not meet all of the above criteria. Watermarks 
embecded in the video are not easily detectable: the content is CSS-encrypted, and checking 
20 for the* watermark requires decryption, which is typically expensive in a DVD-drive. 

An alternative watermark method on the level of the MPEG stream (so called 
PTY marks) is easily detected, but is not acceptable from the viewpoint that the impact on 
content preparation should be low. 

Straightforward methods of setting a few bits in the CSS encrypted content are 

25 easily hacked. 

Proposed solution i. 

CSS-encrypted content is typically decrypted both in hardware (in tabletop 
DVD- players) and software (in PC's). Software decryption slows down the PC substantially, 
30 and s<xiously degrades the viewing quality of the DVD-film. To ameliorate this situation, 

only 8, limited fraction of the video stream has been encrypted in the DVD-mastering facility. 
The sixeam is divided into so called packs of 2 Kbytes each, and typically somewhere 
between 10-50% of the packs have been encrypted. The invention is based on the recognition 
that a message for the purpose of copy protection may be transmitted by the deliberately 
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encrypting packs following a certain pattern. As an example, encrypt the packs according to 
the rule: 

u -. u _u_ e — e-u — u — 11 — e — e— u^u— u — e — e — u — u — u — e -e — .... 
to transmit a c 0' message, and 
5 u — u — u-u-e-e — n-u — u — u — e-e-u-n — u — u-e — e — 

to transmit a 'V bit, where c u* stands for an unencrypted pack, and V for an encrypted one. 
For a 1 lacker to remove these messages (which would be interpreted by the DVD-player in 
accordance with the purpose of this invention to expect an appropriate disc~mark like the 
wobble) he would need to decrypt CSS and re-encrypt it; decryption is not enough, because 
10 the watermark can be detected in clear content. The particular manner to encode information 
in the pattern of encrypted/unencrypted packs should be sufficiently exotic that it has an 
extremely low probability of having occurred in DVD encoded in the past. Therefore 
sometaing like pseudo-random noise patterns of u's and e's would be more suitable* 

1 5 Biased pseudo random noise sequences 

Because the number of encrypted and unencrypted packs per second is not 
equal (the number of V *s is usually quite larger than 'e' 's to facilitate DVD-playback in 
softwsire) the aforementioned pseudo-random patterns would have to be biased somehow. 
The slandard manner to cheaply construct a pseudo-random noise sequence is the LFSR 

20 (linear feedback shift register), which is defined by a so-called irreducible generator 
polynomial of a finite field GF(p% where q is the length of the LFSR. It is common to 
choose p 38 2. However to create a biased pseudo-random sequence with bias 1/s (i.e. out of 
every s packs, s-1 are unencrypted and 1 is encrypted), with s prime, one should choose the 
polynomial over OF(s). The output of the LFSR is then a random sequence of elements 1$ of 

25 GF(s): 0, 1, 2, s-1. If we replace every h by *u' if Is £ 1, and by *e* if 1; = 0, otherwise, we 
obtain a recipe to encrypt the packs with the required bias. 

Proposed solution ii. 

The keys used to encrypt the content are 40 bits long. The second solution 
30 consists of designing a function operating on the key K:-> £(K), where f(K) can be 0 or 1 . £( ) 
haste be chosen in such a way that when operating on the keys used in the DVD-titles 
published so far (on the order of 4000 keys), it always yields 0. The way to enforce the CSS- 
rule would then be that a player reads the disc key K, computes f(K), and if the result is 0, it 
knows that no wobble is necessary (because the key must belong to a movie published in a 
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time when the wobble was not required yet). If the result however is * r, then the player must 
also check for a wobble. If there is no wobble, the disc is an illegal copy of CSS-encrypted 
material on a recordable, or illegitimately mastered ROM disc. 

After introduction of this system, the implication for the publishers is that 
5 before encrypting a movie with key K, they would check whether f(K)=l when they want 
wobbU protection for their content, and f^K)^ when they don't. If the key K doesn't have 
the appropriate properties, a new random K needs to be chosen. In practice this is not a 
problem, because disc-keys arc distributed by a single licensing organisation the 
"DVC_CCA M , located in California. 

10 For this reason a desirable property of f() would be that it would be 0 on one 

half of all possible keys and 1 on the other half; in that case on average no more than 2 tries 
are needed to find a suitable K. There is an additional reason to require f( ) to have this 
property: f( ) would be built into DVD-players and would therefore potentially be known 
publicly. It would be undesirable if the keys of all past 4000 DVD titles could be derived 

1 5 from Iznowing f( ) alone. In the section below we will explain how such a function can be 

constructed from a given set of 4000 arbitrary keys. The conclusion is that f( ) is surprisingly 
simple a) to compute and b) to implement. Implementation requires storage of approximately 
64 40 bit (non-confidential) constants, and computation requires 7 40-bit XOR operations + 1 
shift register. 

20 

Efficient derivation of f( ) 

The derivation of the function f is based on a mathematical result that can be 
stated roughly as follows. Further mathematical details can be found in Appendix A. 

If X is a collection of m-bit keys, of size n, say, then there exists an m-bit 

25 numbsr a such that if we partition the collection X into two parts according to the value of the 
XOR of elements from X with a, then each of the parts contains about half of the elements of 
X. If a is chosen at random, then for each e>l, the probability that the sizes of both parts 
differ from n/2 by at most e.sqrt(n) is at least 1/(1 -e). Also, if n<m, then there is an a such 
that tlie XOR of a with all elements from X is 0. 

30 Using this result, we can construct a function f such that the evaluation of f(K) 

can b; arranged in the form of a binary decision-tree of depth d with d approximately equal 
to log(n) - log(m), where logO denotes the base-2 logarithm. Here, in each node v of the 
decision-tree, we compute the m-bit XOR of K with the m-bit number a(v) corresponding to 
this node; we let the result of this XOR determine which of the two branches from v will be 

llilfi:G)7i^^ffl 
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followed. The value of f(K) will be the computed XOR- value at the end-node that is reached 
after d steps. 

In the above practical case, we have n = 4000 and m=40, so that d is about 7. 
The decision- tree will contain 2 d -l 5 so about 127, nodes, which means that we will have to 
5 store shout 127 40-bit numbers a while an evaluation of f will require about d - 7 m-bit 
XOR 7 s. 



Both proposed solutions have as an advantage that the "wobble trigger" does 
not need decryption and watermark detection. This is accomplished by embedding the 
10 trigger, used to distinguish new, wobbled media from legacy discs, in the encryption instead 
of in the watermark. 

The solutions have as additional advantages: 

• Wobbled discs play on legacy players; 

» The encrypted content on wobbled discs contains a secure, wobble trigger which is hard 
15 to remove; 

• Legacy discs play on new players, because the wobble trigger is not present, so the player 
wi 11 not check on the existence of a wobble. As a result the wobbled discs and the not- 
wobbled discs can co-exist; 

• Tlie wobble provided an optional extra level of security; 

20 • The wobble works with CPPM (Copy Protection for Pre-recorded Media; the copy 
protection scheme for DVD-Audio) or CSS; 

• Wobble detection in the drive requires limited hardware cost (5-6 KOates). 



Although the design of the 2 schemes outlined above has been specifically 
25 triggered by problems in the DVD arena, it is conceivable that in particular the second 

proposed solution in this disclosure has a much wider range of applications. E.g. a revocation 
scheme could be based on this. A player would have the general structure of the function f( ) 
on board, but It would load the constants dynamically. 



30 In Figure 1 a schematically drawing of an apparatus for reading out an 

information carrier is shown. 

Figure 1 shows an apparatus according to tine invention for reading of the 
information carrier 17. The apparatus comprises driving means 26 for rotating the 
information carrier 17 and a read head 27 for reading out the tracks present on the 
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inforniation earner. The read head 27 comprises an optical system of a known type to focus a_ 
light spot 28 on a track by means of a beam of light 29 guided through optical elements like a 
collimator lens 39, to collimate the beam of light and an objective lens, to focus the beam of 
light This beam of light 29 originates from a radiation source 41, e.g. an infrared laser diode 
5 with a wavelength of 650 mn and an optical output of 1 mW. The read head 27 further 
comprises a tracking actuator for fine-positioning the light spot 28 in the radial direction in 
the middle of the track. Adjusting the position of the light spot to the position of the track can 
also b » achieved be changing the position of the objective lens 40. 

After being reflected by the information carrier 17, the beam of light 29 is 

10 detected by a detector 42 of a known type, e.g. a quadrant detector en generates detector 
signal 3 3 1 including a read signal* a tracking-error signal, focussing-error signal, 
synchronisation signal and lock-in signal. E.g. a beam splitting cube 43, a polarising beam 
split&ig cube, a pellicle or a retarder can be used for this. The apparatus further comprises 
trackuig means 32 connected to the read head 27 for receiving the tracking-error signal of the 

15 read bead 27 and for steering the tracking actuator 30. During reading out the information 
carrie?: 17 the reading-out signal is converted in the read out means 34 into output 
information 33 the read out means for example comprising a channel decoder or an error- 
corrector. The apparatus further comprises an address detector 35 for retrieving the addresses 
from ihe detector signals 3 1 and positioning means 36 for coarse positioning the read head 27 

20 in de )*adial direction of the trade The apparatus further comprises detection means 48 for 
receiving the detector signals 31 from the read head 27. The detector signals 31 are used by 
the detection means 48 for synchronising the read out means 34. The apparatus further 
comprises a system control unit 37 for receiving commands of a controlling computer system 
or a user and for regulating the apparatus by means of control lines 38, e.g. a system bus 

25 connected to the driving means 26, the positioning means 36, the address detector 35, the 
tracking means 32 and the read out means 34. 

In this apparatus for reading out information on an information carrier a check 
is performed which results in a possible refusal to play back the information carrier if a 
predefined condition, substantially as described above, is not matched. 

30 With reference to Figure 2 and Figure 3, the following checks can occur in the 

play tack apparatus according to the invention (it must be noted that a legacy disc is a pre- 
recorded disc comprising encrypted content, a wobbled disc is a pre-recorded disc 
comprising a wobble, a legacy drive is an old compliant drive, a new drive is a new 
compiant drive): 
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• legacy drive + legacy disc pass; 

• legacy drive + wobbled disc pass (the "old" legacy drive doesn't see the disc-mark, i.e. 
the wobble, but doesn't notice the wobble trigger either); 

• new drive + legacy disc pass (the new drive doesn't find the disc-mark on the old disc, 
5 but no wobble trigger either); 

• new drive + wobbled disc pass (the new drive finds the wobble trigger and also finds 
the: wobble; as an option, to further strengthen the copy protection scheme, the payload of 
the wobble can be detected and checked); 

• new drive + non-legacy disc -> fail (the new drive finds the wobble trigger, but doesn't 
1 0 fir id the wobble, necessary for playing the content on the disc). 



It must be noted that the invention as described above is not limited to the 
embodiments explained. For example, the invention is not only related to DVD ROM-discs, 
but to all pre-recorded media in general. Further, the invention is not only related to a 

1 5 wobble, but to all physical disc marks, which can be used for distinguishing pre-recorded 
discs from recordable discs. Further, the invention is not only related to CSS, but to all 
encryption schemes. Further, the invention is not only related to the triggers as described 
above, but related to all triggers obeying the following conditions: i) detection of the trigger 
is possible without decrypting the content, ii) the trigger can not be removed without 

20 decrypting the content. 
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APPENDIX A 



Chapter 1 
Introduction 

1.1 Origin of the problem 

In this section, we will explain the origin of the problem that we investigate 
in this report. 

At this time, a certain encryption method is used to encrypt so-called 
DVD-discs. DVD-discs are CD-Rom-Uke discs containing for example entire 
movies and are played by the end user on a DVD-player. We call the data 
written on the DVD-disc the content and the owner of the copy rights of the 
content the content provider. 

In the near future, the end user is able to copy prerecorded DVD-discs 
onto its own recordable DVD-discs. Because this could be a problem for 
the content providers, there are regulations about the ability of viewing the 
content of recordable DVD-discs. These regulations say, for example, that a 
DVD-player should not be able to play certain content when recorded by an 
end user, that is, when recorded on a recordable DVD-disc- 

To comply with the regulations, the DVD-player should have a method to detect 
whether the disc inserted is a prerecorded disc or a recordable disc. We have 
developed a method for doing this by inserting a physical disc mark, e.g. a so-called 
ROM-wobble, This disc mark imposes writing some extra information on the 
prerecorded DVD-disc, which can not be written by the DVD-writers of the home 
users. The new DVD-player then can easily detect the nature of the inserted disc by 
reading that extra information. 

Now there is one "little" problem: all the existing prerecorded discs don't 
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have this extra information, so the new DVD-player would consider any existing disc 
as ?. recordable disc and therefore not play it. Now we should design the new DVD- 
player in such a way that it does not perform the prerecorded/recordable detection if 
the content is"old", where we call the content that has already been released on 
prerecorded DVD-discs "old" and the content that we want to write on DVD-discs 
with the new physical disc mark "new M . 



In practice, each content has a unique title key. This is a 40-bits key 
attached to the content which can be read by the DVD-player. The DVD- 
player could use this key to determine whether it is "old" or "new" , where the 
"old" keys are the keys of the "old" content. However, these title keys are not 
public; therefore the DVD-player may not use the method of keeping a list 
of the "old" keys and checking the occurence of the key of the inserted disc 
in this list. Furthermore, the content provider should be able to create more 
"old" keys, for example for producing DVD-discs of which the copies may 
be read at all times. In contrast to the "old" keys, the "new" keys may still 
be chosen, so the DVD-player has to be able to decide whether the proposed 
key is surely "new" or possibly "old" . After finding an implementation for 
this, we can find a construction for the "new" keys such that they will be 
recognized by the DVD-player in the right way. 

At the moment the number of title keys of released DVD-discs is about 
2000, So this is approximately the amount of "old" keys we have to deal 
with. 

Now we can conclude that we have to implement an algorithm in the 
DVD-player that performs this "key detection" having the following proper- 
ties: 

1. It has as input one 40-bits key and it has two possible outputs: one 
saying £ thiB key is possibly "old" \ the other saying 'this key is surely 
"new" 

2. it contains in itself as little information as possible about the "old'* 
keys; and 

3* it can be easily implemented in hardware. 

Having these precise specifications for the key detection algorithm we can 
look at the problem of finding it in a more sophisticated way. 

Let us first consider the set of all possible title keys. In the above case 
this is equal to the space consisting of all binary vectors of length 40. Let this 



Printed:07-05-2001 



® 



— -^-^Y '00 09:38 PHILIPS CIP Ni^^ Q »^^ M — 

10-05-2000) PHN L000262EPP 1EP00201 669.9 



10 09.05,2000 




space be denoted by V, where V = FJ 1 , that is, the m-dimensioual vector 
space over F 2 , where m = 40. Throughout this report F^ will denote the 
Galois Field, or, equivalently, the finite field of order q. Note that q has to 
be a prime or one of its powers. 

Now let the given set of "old" keys be denoted by X, that is, we have 
XCV and let n be its si2e, that is, n = \X\> As above, in practice we have 
n as 2000. 

The first two desired properties of the key detection algorithm leads us 
to the following idea: perhaps we can easily partition the space of possible 
keys in two equal sized halves, one of which containing all the "old" keys, 
the other none of them. The key detection algorithm then only has to detect 
whether the input key is in the "old half" or not. Besides, this makes it 
very easy to find new keys, even new "old" ones; one can just pick vectors 
randomly until a right one is found. 

This idea together with the third desired property could give us the fol- 
lowing idea for a solution: try to find the hyperplane H of V that contains 
all the vectors from X and use it as the "old half" . To understand this idea, 
let us first explain what an hyperplane is and give some of its properties. 

A hyperplane of a general vector space V is a linear subspace of V that 
has dimension one less than the dimension of V\ Bach hyperplane is uniquely 
defined by the vector in V orthogonal to it and, conversively, each vector a in 
V\ {0} uniquely defines the hyperplane {v € V|(a, v) =s 0}. Note that •) 
denotes the inner product in the vector space V. Note also that, in contrast 
to many infinite fields, in vector spaces over finite fields there exist vectors 
that are orthogonal to itself. Take for example the vector [1,1] T 6 E^; we 
have that ([1, 1] T , [1, 1] T ) = 1- 1 + 1-1 = 1 + 1=0. (We consider vectors as 
being column vectors.) Another property of a hyperplane in a vector space 
V over a finite field F g is that it consists of the g-th part of the vectors from 
V. So any hyperplane of V ^ FT? consists of exactly half of the elements of 
V. 

Let us now return to the idea as stated above. We can see now that this 
idea about using a hyperplane for the partition of V has two of the three 
desired properties: firstly, it partitions V in exactly two equal sized halves, 
and secondly, testing whether the input key is in the hyperplane or not is 
done by just calculating the inner product of the input key with the vector 
defining the hyperplane. The latter property makes this idea extremely easy 
to implement in hardware. 

However, can we surely find a hyperplane that contains all the vectors 



"Pnnted:©7-05-20at 



10 



PHNL000262EPP 



11 



09.05.2000 



from X, where X C V = FJ 1 ? The answer is no, we cannot. It is only 
possible when X lies in an (rn — l)-dimensional subspace of V\ which is the 
case if the span of X has an dimension of (m- 1) or less. Only if \X\ < m— 1 
we are sure this is the case, and if \X\ » m then it is very likely that the 
span of X has dimension equal to m, or, equivalently, that X spans V. 

So the above idea does only work for sure it\X\<rn. Now we can think 
of the following solution: divide V in several subsets Vi, . . . , V T such that 
each subset contains a sufficiently small number of the elements from X, that 
is, \Xr\Vi\ <m for all i. Then apply the above idea on those subsets, that 
is, find for each subset V{ a hyperplane ff< such that X D Vi C Now the 
key detection algorithm consists of two steps: firstly it determines in which 
subset Vi of V the input key lies and secondly it computes the inner product 
of the input key with the vector defining the hyperplane H\. 

The greatest problem now is how to divide V into T subsets in a smart 
way. Of course, we can again use hyperplanes to perform this partition, 
namely by the following partition steps. In the first step (t = 1) we divide 
the m-dimensional vector space V by a hyperplane H into 2* = 2 parts 
Vo — H and Vi = V\H. After that we divide the obtained 2* subsets by 
(different) hyperplanes, thus creating a new partition of V into 2 t+1 subsets. 
We can repeat this step several times until, after t steps in total, the obtained 
2* subsets are small enough. Note that we can consider the obtained subsets 
after t steps as (m — t)-dimensional subspaces of V (we need to translate the 
origin of the vector space V for some subsets to have this property). Note 

also that each subset is uniquely defined by the 1 + 2 4- 4H h 2 t-1 = 2* — 1 

subsequent hyperplanes which are used to partition V. These hyperplanes 
are again uniquely defined by 2* — 1 vectors from V. 

It is clear that the total partition would be optimal if the subsets each 
contain approximately the same number of elements from X. This can be 
done by choosing the partitioning hyperplanes in such way that they also 
partition the corresponding subset of X into two equal halves. For example, 
in the first step we have to make sure that |VoHX| « JVinX|, or equivalently, 
that \X n H\ is close to \X\/2. 

Take for example X C V = with \X\ = 2000, values that in practice 
are expected. After 6 times partitioning V, we have constructed 2 6 = 64 
subsets of V which have in the ideal case all an intersection with X of stee 
approximately 2000/2° fts 32 < 40. In this case the key detection algorithm 
has built in the 63 vectors defining the hyperplane partitioning of V into 64 
subsets, which it can use to determine in which subset Vi the input key lies. 
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After that it can use the vector defining the hyperplane Hi to test whether 
the input key could be an element of X or is surely not an element of X. 

This construction of a key detection algorithm would work well if we could 
find the hyperplane of V partitioning X in approximately equal sized halves. 
The problem consists of the two following questions: 

• How well can we "halve" the set X by a suitable hyperplane, or, equiv- 
alent!^ how well does the optimal hyperplane perform the partitioning 
of XI 

• How to find this optimal hyperplane? 
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Chapter 2 

The vector partition problem 
over F2 

2,1 Introduction 

In this chapter we present the basic problem, which can be stated as follows. 
Given a set of binary vectors, how well can we "halve" this set by intersecting 
it with a suitable hyperplane? Or, stated more precisely: given a subset X of 
a vector space V over Fa» find a vector a 6 V\ {0} such that the hyperplane 
H a := {v £ V\(vi a) = 0} and its complement partition X in parts of about 
the same size. We will refer to this problem as the vector partition problem 

over^- 
We will first be interested in how well we can partition the set X in this 

way. The question of finding a vector a that realizes the optimal partition of 

X will be studied in Section 4.4. 

In the next chapter we generalize this problem to its weighted version 

over a general field F q . 

In Section 2.2 we present the precise problem statement. In Section 2*3 

we shall convert the problem to a relating coding problem concerning the 

occurrence of weights close to n/2 in a binary linear code of length n. A 

solution of this coding theory problem is presented in Section 2.4 and will be 

discussed in Section 2.5. 
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2.2 Precise problem statement 

Throughout this chapter, V will denote a fixed m-dimensional vector space 
over F 2 , that is, V = We define V* = V\ {0}. For a e V* } we will 
denote the hyperplane {v S V\(v, a) ~ 0} orthogonal to a in V by H a . When 
we speak about the dimension of X, we will mean the dimension of the 
subspace spanned by X> 

We desire to "halve" a given set X C V as well as possible by intersecting 
X with some hyperplane H a , that is, we are interested in the minimum 



S(X) := min 



\H m nx\-\x\/2 



(2.1) 



which measures how well we can do for this set X. We should not include 
the case a = 0, but for reasons of simplicity we still write V instead of V*, 
which could by justified by defining Ho = V\ Note that the minimum will 
never be attained by a = 0. 

We would like to obtain upperbounds on &(X) given only the dimension m 
of V and the cardinality \X\ = n of the set X C V, i.e., we would like to 
obtain information on 

f{m,n):=mzx6(X). (2.2) 

We will see below that the quantity 6 (X) does not depend on dimension of 
the precise vector space V in which we embed -X", but only on the dimension 
of X itself. Therefore, instead of carrying on with the function /(m,n) we 
define 



\X\tm 

We now have the following. 

Lemma 1 With /(m,n) and g(k,n) defined as above, we have 

/(m,n) = max g(k } n). (2.4) 

Proof: Obviously, for any X C V for which /(m, n) = 6(X), we have that 
k = dim(X ) < m. Hence /(m, n) < g(k, n) for some k with 0 < fc < m. 
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Conversely, let X be such that dimpQ = * < m and $(&,n) s <J(X). 
Embed X in V by adding m-k coordinates to the vectors from X with value 
zero. It's clear that this doesn't affect the quantity &{X) nor the dimension 
of X. Hence /(m, n) > S(X) = g(k, n) for all k with 0 < & < m. U 

Note that this lemma proves that /(m, n) is non-decreasing in m. Fur- 
thermore, we may suppose without loss of generality that 0 £ X. Indeed, if 
we define X + d for d € V as {x + d\x € X}, then, except for the trivial case 
X = V, we can always find a d € V such that 0 £ X + d; the fact that this 
translation doesn't affect how well we can halve the set X by a hyperplane 
H a , is stated in the following lemma. 

Lemma 2 We have 



Proof: For any hyperplane H a in V and for all d € V, we have 
H a n (X + d) = {x S A- +d|(a,a;) = 0} = {* 6 X|(a,a; + d) = 0} 



Now, by using the definition of S(X) in (2.1), we can easily see that in both 
cases 6{X + d) = 6(X) holds. □ 

2.3 A related coding problem 

In this section, we will reformulate the vector partition problem in terms of 
coding theory. This will result in an alternative formulation of 6(X), in which 
the weights of codewords in a code corresponding to X play a prominent role. 

Let supp(c) and w(c) be the support and Hamming-weight of c, respec- 
tively, that is, 



6(X -rd) = 6{X) for all deV. 



(2.5) 




(2.6) 



supp(c) := {»|ci # 0} 



(2.7) 



and 



iy(c) := |supp(c)|. 



(2.8) 
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Now let X C F| with n = \X\ and dim(A") = A; be the set that we want 
to partition. Let G{X) be the k x n-matrix which has as its columns the 
vectors from X. Note that G(X) has full row rank. Let C(X) be defined 
as the binary [n, fc]-code generated by G(X), i.e., C(X) is the row space of 
G(X). When no confusion can arise, we simply write C instead of C{X), 

Recall that we assumed 0 £ X , so we have that the code C is projective: 
the columns of its generator matrix are pairwise linearly independent. 

Now we are ready to write 6 (X) in terms of the weights of the codewords 
from C{X) as stated in the following lemma. 



Lemma 3 We have 



S(X)^m^ ) \n/2-w{c)\. (2.9) 



Proof: Let c(a) =: a T G(X) € C. Note that we may think of the coordi- 
nates of c(a) as being indexed by the set X = {x x x„}, where the i-th 

coordinate Cj(a) of c(a) equals (o, x<). As a consequence, we have 

\H a nX\ = \{xzX\(a,x)=0}\ 

= \{l<i<n\*(a) = Q}\ 
-n- |supp(c(o))| 

= n - w(c(a)). (2.10) 

Hence 

S(X) = mm||H 0 DX\- \X\/2\ = mm\n - w{c(a)) - n/2\ 

where the last step is justified by the existence of a one-to-one correspondence 
between vectors oSlfj and codewords c e C. □ 

Because of the correspondence between sets X with dim(X) = k, \X\ = n 
and binary projective [n, fc]-codes C, we can write g(k, n) as 

g(k,n) = max minJn/2 - w(e)|, (2.12) 
where the maximum is over all binary projective (n, fc]~codes C. 
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As a result we have reformulated the vector partition problem over I2 as 
a problem concerning the existence of codewords with weights close to n/2 
in binary projective [n, fc]-codes. 

Before continuing we introduce some notation from coding theory. The 
dual code C r of the binary [n, fc]-code C is defined by 

C T := {v e F?\(c, v) = 0 for all c e C} . (2.13) 

We use the symbols A w and B w to denote the number of codewords of weight 
w in C and C T , respectively. A and B are called the weight distribution of C 
and C x . 

2.4 A bound 011 j(fc,n) 

The next theorem concerns the weight distribution of binary projective [n, k\- 
codes and will directly lead to a bound on g{k, n). This bound will be further 
discussed in the next section. 

Theorem 1 Let C be a binary projective [n, k\-code with weight distribution 
A. If Ay, =s 0 for all w that satisfy n/2 -R<w < n/2 + R, then 

Equality holds if and only if C i$ a two-weight code with non-zero weights 
n/2 ± R, that is, if and only ifA w ^0 implies that w e {0, ^f 5 , ^f 5 }. 

Proof: Let us define 
and write 

Wl = \ " R > W2 = I + Rt C 2 - 1 ^) 

The proof of the theorem will consist of the following three steps. 
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1. First we will show that JVj, 0 < j < 2, can be expressed in terms of k 
and n only. Since the polynomials (J), 0 < j < 2, form a basis for the 
space of polynomials of degree at most 2, it follows that all expressions 
ELoP(^ ) A» with a known polynomial p of degree at most 2 can be 
calculated explicitly. 

2. Next, we consider the expression 

n 

E = J^pMA" C 2 - 17 ) 

where p{w) — (w — wi)(v> — w 2 ). 

Since p is of degree 2, we can use the results in step 1 to express E in 
terms of n and k only. 

3- Finally, we will use our assumptions on the A w to show that E > 
W1W2 = n 2 /4 — R 2 . As a consequence, we obtain our desired bound on 
R. 

The readers familiar with the MacWilliams Equations (see [9]) and the 
related Pless Power Moments (see [10]), will recognize step 1 as the compu- 
tation of the first three "binomial moments" in this special case. The special 
property of the codes treated here is that they are projective, which implies 
that the minimal distance of their dual code is as least three, that is, the 
first three values of their dual weight distribution B are given by Bo = 1, 
B x = 0, and B 2 = 0. The method of using the Pless Power Moments for 
such purposes originated from Kasami (see [6]). For a recent use of such a 
method, see [11]. 

Let us now turn to the details of the proof. 

1. Note that since counts the number of codewords of weight w, we 
may interpret the expression (^)A^ as counting the number of pairs 
(S,c) with c € C, w(c) = w y S Q supp(c) and |5| = j. As a conse- 
quence, with Nj as defined in (2,15), we have that 

^=e(;K=e r i= s: mu (2-i8) 

«,=0 cgC SCaupp(e) 5C[l,n) 

\S\mj \S\=j 
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where we define 

C[S] = {c € C|supp(c) 3 S} . (2.19) 

Since we assumed that C is projective, we can express \C[S]\ for \S\ < 2 
in terms of n and k only. Indeed, since any two columns in its generator 
matrix are independent, we immediately have that |C[iS]| = 2~ |Sl jC| = 
2 fc-i when |5| = j < 2. So from (2.18), we now immediately have that 

N 0 = 2 fc , JVi = n2 k ~\ iV 2 « Q 2*" 2 . (2.20) 

2. Now consider the expression B in (2.17). We will use the expressions 
for Njy 0 < j < 2, in (2.20) to compute JS. Since 

p(w) = (w — xi;i)(ui — ta 2 ) 

= 2 ( 2 ) " {Wl + W *'V (?) + WlW2 ( o) ' (2 21) 

we have that 

E — 2N 7 - (wi -h w 2 - l)Ni + tyi^No 

= n(n - 1)2*" 2 ~ (n - l)n2*" 1 + (^ - i* 2 )2* 

= (^ - it 2 )2* - n(n - 1)2*- 2 . (2.22) 

3. By assumption, p^)^ = 0 for wi < v) < ti> 2 , and obviously p(w)A iif > 
O for 0 < w < Wi or wi < w < n. Since p(0) Ao — Wiw%, we immediately 
have that 

n 2 

jE 1 > w x w 2 = — • - i2 2 . (2.23) 

Note that we have equality in (2.23) precisely when C Is a two-weight 
code with non-zero weights w\ and w^. 

Hence using (2.22) , we find that 

- fl 2 < - tf a )2* - n(r* - 1)2*~ 2 , (2.24) 
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and therefore 

(2* - 1)R 2 < (2* - 1)^ - n(n - 1)2*-* 

= i(n2*-n 2 ), (2.25) 

that is 

□ 

Prom the above theorem, we immediately have the following. 
Corollary 1 We have that 

9(k>n) < i^n-^j. (2.27) 

Equality holds if and only if there eo?i$ts a binary two-weight [n, k)-code with 
weights lying symmetrically around n/2. 

Proof: Suppose C is the binary [n, fc]-code with the distinct column prop- 
erty foT which the maximum in equation (2.12) is attained. Then 

g{k, n) = mhi|n/2 - w(c)|. (2.28) 

Note that the restriction on in Theorem 1 is equivalent to min c ^c\n/2 — w(c)\ > 
R. So Theorem 1 now says the following: if p(Ar, n) > R then 

R < |Vn-(nZ"n)/(2*-l) (2.29) 

which is equivalent to the first statement of the corollary. 

Theorem 1 further states that equality holds if and only if C is a two- 
weight code with nonzero weights n/2±R 9 from which the second statement 
of the corollary follows immediately. Q 

In the sequel, we will refer to the bound in Corollary 1 as the square root 
bound for F2. 
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2.5 Discussion 

la the introductory example (see Section 1,4) we already found a (necessarily 
two-weight) code C that attains the bound in Theorem 1. So this bound is 
sharp for at least some values of k and n. Later on, in section 4.2, we will 
present a family of two-weight codes with weights lying symmetrically around 
n/2, of which the mentioned example is the first one. 

The bound presented here is non-decreasing in k> However, we can easily 
see that #(n, n) must be equal to aero for even n and equal to 1/2 for odd n. 
Indeed, a [n, nj-code is equal to the whole space F£ in which many words of 
weight [n/2j exist. So our bound is bad for values k close to n. However, in 
practice we usually have if<n. 

Furthermore, in practical applications we often have 2 fc » n; in that case 
the bound is nearly equal to \/2y/n y which shows that in such cases we have 
a pretty good bound. For example, if we take fc = 40 and n = 2000, then 
g(k } n) < 22, hence, if we have a collection of 2000 40-bit vectors, we can 
"halve 1 ' the set taking the inner product of its elements with a single suitable 
40-bit vector such that each half contains between 978 and 1022 elements* 
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Chapter 3 

The weighted vector partition 
problem over F q 

3 . 1 Introduction 

In the previous chapter we showed that, given a set X C of size |X| = n, 
there exists a vector a £ F§ such that the hyperplane H a and its complement 
partition X in about two equal halves, and we obtained a precise bound of 
order y/n on how well this ideal can be approached. 

Here we shall generalize that result to general fields F q , q prime power; 
moreover, instead of a given subset X of a ^-dimensional vector space V over 
F 9 , we consider a "weight function" fi : V -> R and we try to find a vector 
a € V such that the hyperplane H* and its cosets each have approximately 
the same total weight. We will refer to this problem as the weighted vector 
partition problem overW g . 

As it turns out, the techniques developed in the previous chapter can be 
generalised to deal with this situation in a similar way. 

Our approach is the following. First we will show that we may assume 
that /x assigns non-negative integer weights to the vectors in V, that is, we 
may assume & : V — > Z+. Then, as in the previous chapter, we define a code 
C(fj,) } now of length n = Ylvev &( v )' Finally, using similar ideas from coding 
theory, we can find an upperbound on the function that we are interested in. 

The organization of this chapter will in general be the same as in the 
previous chapter. Section 3.2 contains the precise problem statement; in 
Section 3.3 we will show that we can assume that ;* is a non-negative integer 
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weight function; this enables us to convert the problem to a related coding 
problem in Section 3.4. A solution of this problem will be given in Section 
3.5 and will be discussed in Section 3.6. 

3.2 Precise problem statement 

Let the weight function p : V — ► R be given, where V is a ^dimensional 
vector space over F q . For A 6 ¥ q , a € V\ {0}, we define the coset H atX of the 
hyperplane H a as 

#a,A:={"€ V|(v,a)-A}. (3.1) 
For all XCy,we also define 

Given the weight function we want to find the vector a € V that 
minimizes the sum of the quadratic differences between the total weight of 
the cosets of H a and their desired values. We denote this minimum by 
so we have 

6(n) nun £ (n(H a ,x) ~ £/*flO) a . (3.3) 

Because J^o,a is not defined, we should not have a = 0 as a candidate for the 
partitioning of V, but for reasons of simplicity we still minimize also over 
a a= 0. Note that, even if we define Ho in a suitable way, the minimum will 
never be attained when a = 0. 

Given an arbitrary weight function ft : V R, we are interested in 
finding a good upperbound on <5(/i). 

For exactly the same reason as in the previous chapter, we will only be in- 
terested in functions fx for which the dimension of its support {v € V~|/i(u) ^ 0}, 
equals the dimension of V. 

To illustrate this, suppose the dimension of the support of fJ> equals m 
with m < k. So there exists a linear subspace M, of dimension m, such 
that m(v) j± 0 implies that v 6 Af. Then for any W C V, we have that 
/i(W) = ^(W n M), from which follows that we could restrict the domain 
of i* from V to its linear subspace M with dimension m, without changing 
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For a similar reason we worked in the previous chapterwith the function 
g(k, n) instead of /(m, n). Here we will simply assume from now on that the 
support of /i has a dimension equal to that of V. 



3.3 Conversion to non-negative integer weights 

In this section, we will show that we can assume that ^ is a non-negative 
integer weight function* This will be achieved in three steps. 

• It is clear that is continuous in for each v e V. Suppose 
p(x) = a € R\<Q>. Because of the continuity of for each e > 0 
we can find a 8 > 0 such that a -t- 8 e Q and 8(fj) — 6(fi) < e f where 
fi(v) = m(v) for v6^\ {x} and /2(s) = a + 8. Hereby we have shown 
that we can "replace" the function values where f*{x) is irrational by 
rational values, thus constructing a rational weight function fa such that 
5(fi) is arbitrarily close to 8(/j)* 

• If we define £ := c/x, that is, fi,(v) — c/*(v) for all v € V, we have 

*(/>) = (A(^) - ^A(V)) 2 



(3.4) 



Prom the definition, it follows directly that 6({j) is invariant under 
translation of the weights. Indeed, if we take p, — fx + c, that is, 
p,(v) = fx(y) + c for all v e V, then 



= mm ^ (Kflu) + 9 fc_1 c ~ \tM<y) - 9 fc - l c) 5 



(3.5) 
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By applying these three steps we can " transform" the image of V under 
y. from Bfc to Q, then to Z and eventually to Z + . So from now on we will 
assume that fi is a non-negative integer weight function on V. 

3*4 A related coding problem 

In this section, we will convert the weighted vector partition problem over 
F q to a problem formulated in terms of coding theory. We will construct a 
code from the given non-negative integer weight function resulting 
in an alternative formulation of S(fj) in terms of generalized weights of the 
codewords in C(/i). 

For A 6 F q , let supp A (c), w A (c), and w(c) be the \-$upport> A-weight, and 
generalized weight of c, respectively, defined as 

supp x (c) {i\a = A} , (3.6) 
w A (c) := |supp A (c)|, (3-7) 
w(c) := (w A (c)) >6JV (3.8) 

Furthermore, we write [0,n] = {0,. . . ,n}, and we use 1 and e A , A € F^, 
to denote the all-one vector and the A-th unit vector in [0,n]* 7 respectively. 
Also, for a generalized weight w = w(c), c € C, we let 

IMI^ JX>a> (3.9) 

V * 6F « 

that is, |)w|| is the I^-norm of the vector w. 

Finally, we let A denote the generalized weight distribution of a code C 
by defining 

A„ := |{c € C|w(c) = w}|. (3.10) 

Let fj, : V = F* — > Z+ be the weight function for which we want to find 
a hyperplane H a such that the cosets of this hyperplane have approximately 
the same total weight. Let n = p(V). 

Now let G{fj) be the k x 7>matrix, which has the vectors v of V as its 
columns, each repeated fx(v) times. We define C(/jl) as the code generated 
by G?(/i)i When no confusing can arise, we will just write C instead of C(/u). 
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Then C is a [n, fc]-code over F fl . Note that we still assume that the dimension 
of the support of /i equals A;, so that G(/z) has full rank. 

Now we are ready to write 5(n) in terms of the generalized weights of the 
codewords from the code C{y>) as stated in the following lemma. 



Lemma 4 We have 



<W = mia l|w(c)^^l|| 2 . (3.11) 



Proof: Let c(a) « a T G{fi) € C(/x). Then we have 



- E 1 - |{1 < i < nKo, <?0*W = c(a)i = A}| 

l<*<n 

* w A (c(a)). (3.12) 



Hence 



=min^ (^(ff^) - i#*CV»" =mmX; (Wc(a)) - J) 3 
= min ||w(c) — — 1|| 2 , (3.13) 

where the last step is justified by the existence of a one-to-one correspondence 
between the vectors a£V and codewords c € C □ 

We conclude that the hyperplane H a that partitions V best corresponds 
to the codeword c whose generalized weight lies closest to £1. 



9 



3.5 An upperbound on S(fi) 

The next theorem gives an upperbound on 5{p) for arbitrary non-negative 
integer weight functions \x : V = F* -> Z + with support of dimension fc. This 
bound will be further discussed in the next section* 
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Theorem 2 For any non-negative integer weight function n : E* — > Z+ unifr 
support 0/ dimension fc, we have 



(3.15) 



Proof: For all j 6 [0, n]«, we define 
where (J) is the generalized binomial coefficient, defined as 

The proof of the theorem will consist of the following three steps, which 
are essentially the same steps as in the proof of Theorem 1. We assume 
that /i is an arbitrary weight function with the properties as stated in the 
theorem, and we let C = C(fi)^ with generalized weight distribution A* 

1. First we will show that we can express N Qt X)asf, » 52;^ 

in terms of q 7 k, n and ]£ v€eV A* 2 ( v ) on ly- Since the multivariate polyno- 
mials (y) form a basis for the space of multivariate polynomials in the 
variables w$i, A e F q , it follows that certain expressions 52w€wP( w )<Aw 
with known multivariate polynomial p can be explicitly calculated. 

2. Next, we consider the expression 

E := £>(w)A w , (3.17) 



where 



p(w):= ||w-|l|| 2 . 



Using the results in step 1, we can express E in terms of q, k, n and 
Z)„6vM 2 («) only. 
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3. Finally, we use Lemma 4 to obtain restrictions on the generalized 
weights of the codewords from C. We use these restrictions to show 
that E > a=in 2 + (q k - l)6(ix). As a consequence, we obtain the de- 
sired bound on 

Let us now proceed to the details of the proof. 

1, Note that since A w counts the number of codewords of generalized 
weight w, we may interpret the expression (J) A„ as counting the 
number of pairs (S,c) with c 6 C, w(c) = w and S = {S\)^ 9 with 
S\ C supp A (c) and \S\\ = j A . As a consequence, with JVj defined in 
(3.15), we have that 

^ = EI C K^)a 6F ,]|, (3.18) 

where the sum is over all (S x ) x& - q with S x C [1, 71] and \$ x \ = j*, and 
where C[(S A )i eF J is defined by 

C[(.Sx) Xe v.] := {c € C!supp A (c) 2 S x for all A € F,} . (3.19) 
Taking j = 0, we have 

No - \Cm x&q ]\ = \C\ = q*. (3.20) 
If we let j = ae x for some integer a > 1, we have that 



N «*x = 2H C€ C\su.pp x (c) D S}\. (3.21) 

So we have that 



|5|«a 



5D = £ C|« - A}| 

= EEK c ec| Ci = A}| 

n 

= S |C| = (3.22) 
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In order to compute ^AgF* Nn ax , note firstly that, given some set 
{*> j} £ [1>^]. tlw following holds. 



|{c€ C|fife = c,}| = |{o € V|(a,G<) = (a,Gi)}\ 
= \{aeV\(a,G i -G j )=0}\ 

>|=«* if Gi=Gj; 

\HGi-Gt I = otherwise. 



={! 



(3.23) 



Secondly, note that 



E ( A( 2 V) ) 

= ^ (5Z'* 2 C tr ) " n J , and 
({ij} £ + Gfj}J = Q - C [l.nJIGi - G;} 

Combining the above, we find that 

= - 9" + (9 - 1) £ A* 2 (^))- O-M) 

2. Now consider the expression E in (3.17). By using some manipulations, 
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we can write E in terms of N 0 , Y,\er, W*» ICasf, *h*x 38 follows. 

-E5KT)+p-*>(?) + # , C?>'- 

= 2 2 ^ + (1 - 2^) £ JV„ X + g(|) 2 JV 0 (3.25) 

ASF, Q A€F, 

Using (3.20), (3.22) and (3.24), we obtain 

E = 2\q k ~\n 2 - qn + (9 - 1) S> 2 00) + (1 - 2?W + V 

= («-i)9 fc - 1 E^w- ( 3 - 26 ) 

3. By Lemma 4, we have that 

|| w ( c ) - 2i|| 2 > e5(/z) for all c € C, (3.27) 

We know that 0 € C and we have p(w(0)) = p(ne 0 ) = n 2 ($ - l)/q. As 
a consequence, 

E = £ P( w >^w = 5Zp(w(c)) 

= p(w(o))+ 2 lMe)-£i|| 2 

c6C\{0} 9 

> ^— ^n 2 + (q k - l)eJ(M). (3-28) 
9 
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Hence by (3.26), we find that 



-in 2 + ( g fc - < (g - l)?*" 1 J> 2 (</) 



(3,29) 



Recall that we defined n = Ylvev n( v )* After this substitution the 
statement of the theorem immediately follows. 



We will refer to the bound in Theorem 2 as the square root bound for F< 



In this section we first will show that the "new bound", that is, the upper- 
bound on S(fj) found here, is in fact the same as the "old bound", that is, 
the bound found on 6(X) in the previous chapter. After that, we will show 
that the bound on S(fi) presented here can be written as a constant times 
the variance of p. We will also look at a small example. 

First, we will show that the new bound of this chapter indeed generalizes 
the old bound in the previous chapter, that is, the new bound reduces to the 
old bound in the case where q = 2 and /2 : V = F§ — ► {0, l}is the indicator 
function im x of the set X C V with \X\ = n. The indicator function fix is 
defined by fi x (x) = 1 if x G X, /z*(a;) = 0 otherwise. 

Now we have n = \X\ = /x(V) = £ v€V M(u) = E veV ^(v)i so the new 
bound is in this case 



Note that we have that /*x(JJ ft| o) - \H a nX] and « \X\ - \H a n 

X\. With use of the definitions of Sfyix) and 6(X), we now have that 



□ 



3.6 Discussion 




(3.30) 



S{lA X ) = min2(\H a r\X\ - |X|/2) 2 = 28\X). 



(3,31) 
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Substituting (3.31) in (3.30) gives us the old bound as follows. 

«H*> s»(f,/»- £5=)'. 

so that 

Next, we show that the bound on 5(jj) that we have found in this chapter is 
a linear function of the variance <7 2 (/i) of /a. As usual, we define <7 2 {y) as 

<tV) -= S(^) * P)* where (3-33) 



^ : =I^ (3.34) 

1 1 WGV 



It is easily seen that 



= 3 fe - i(E ■ (3.35) 
Substituting the above expression in the bound of Theorem 2, we obtain 

*oo < ( V\/-V 2(M) - (336) 

This shows that the upperbound on how well we can partition the weighted 
vector space V with a hyperplane H a under the weight function /i depends 
in a linear way on how the weightB are distributed. If all weights are equal 
we obtain an upperbound of zero, while weights that are arbitrarily spread 
out lead to an arbitrarily high upperbound. 

Let's have a look at an fairly randomly chosen example for which q = 8, 
k = 40 and a weight function that takes 1000 times the value 1 and 1000 
times the value 2 and equals zero for the rest of the space V = IF| Q . Ideally 
we partition V in 8 subsets with each total weight (1000 + 2 • 1000) /8 = 375. 
Theorem 2 then gives us the bound S(fj) < 4375. If this bound would be 
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attained, then this means that the total we ight of each subset would each 
have an average distance of about y/4375/$ 23 to its desired value of 375, 
The maximum distance of the total weight of one subset to 375 would be 46 
(which can only happen if six of the other seven subsets would have the ideal 
total weight). 
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Chapter 4 
Other results 



4 . 1 Introduction 



4.2 A construction of sets attaining the square- 
root bound for F2 

In this section we will show a construction of sets X for which the square-root 
bound for F2, stated in Corollary 1, is attained. This proves that this bound 
is sharp for certain values for k and n. We also will consider strongly regular 
graphs corresponding to two-weight codes. 

First we will present a lemma which enables us to give a construction 
of sets X attaining the square-root bound for F 2 . This lemma gives the 
maximum number of m-dimensional linear subspaces of an mfc-dimensional 
vector space that intersect trivially, that is, intersect in {0} only). 

Lemma 5 The maximum number of k-dimensional linear subspaces Vi of 
FJ 1 * for which n V 9 » {0} if i ^ j equals (q 7 "* - l)/{q k - 1). 

Proof; The field F™ fc contains IF* as a subfield, and E* contains F g as a 
subfield. For z,y € I***, define 

x ~ y if and only if x = Ay for some A 6 E}\ {0}. (4.1) 
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We claim that ~ is an equivalence relation. Indeed, obviously, if x>y> z € 
F* m , then x ~ y (reflexive), if a: ~ 3/ then i/ ~ a: (symmetric), and if x ~ y, 
y je; then a; ~ ^ (transitive) . 

Let Eo = {0} , Ei j . . . , Er denote the equivalence classes of n, and write 
Vt-EiU {0}. 

We claim that V< is an W q -linear subspace of dimension fc. To see this, let 
o e Ey. Then 

V 4 = {Ao|A€l*} (4.2) 

is obviously F 9 -linear. Also, |VJ| = = q h , so as an F g -linear space, we 
have dim^ (K) = fc. 

Fot i > 1, we have = - 1 and we already had | \jfL x B % \ = 
{0} | = q mk - 1, so now follows R = (g m * - l)/(q k -1)- ° 

The following lemma shows us how to construct sets X C l£* for which 
the intersection of X with a hyperplane has only two possible cardinalities, 

Lemma 6 Let V = I^* and 0^)i<i<ft & e 0 coMeetion of k~dimensional linear 
subspaces of V for which H Vj = {0} /or aJJ * f j u^i/i i 7* j . Jf 

X-L)VA{0}, (4.3) 

then, for any hyperplane H of V } 

\XC)H\€ {(R — - 1) + 9* - 1, ^U*- 1 - 1)} . (4.4) 

Proof: Let V, (Vi)i<x<Ji and X be as in the lemma. Let H be an arbitrary 
hyperplane of V. Then we have that 

\Xr\H\ — ^(\Vi r\H\- 1), (4.5) 
i=l 

and 

dtawna)-/?"^ , (4.6) 

v ' \diin(V3)-l otherwise, 
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from which follows that 

W n = (4.7) 

[q* 1 otherwise. v 

Now we claim that H contains at most one of the T^'s. Indeed, if i £ j, then 
ViC\V, = {0}, hence V { U V s spans V. 

By substituting (4.7) in (4.5), we obtain that 

* 1 \i?(9*" - 1) otherwise. v ' 

□ 

Now, by taking q = 2 and picking the right value for R in the previous 
lemma, we can construct a set X C S?§* such that 6(X) = s(2fc,n). Indeed, 
we have the following. 

Theorem 3 Let q = 2, k > 1, and iei V 1? . . . , V& and X be as in Lemma 6. 
Take R := 2*" 1 . Then, writing n = \X\ t we have that 



^=2^ = 1^-^. (4.9) 

Proof: Let V, Vi, . . . , V/t, X and n be defined as above. Note that, since 
| VJ\ {0} | = 2* - 1, we have that n equals R(2 k - 1) = 2*~ 1 (2* - 1) . Note ateo, 
that as a consequence of Lemma 5 there exist (2 2 * 1 — l)/(2 fc — 1) = 2* + 1 
^-dimensional subspaces of V with the desired property, so we may take 
R = 2*~ l . 

Application of the definition of S(X) and Lemma 6 gives us that 



S(X) = min 



\H«C\X\~\X\/2 



^ minflCR - l)(2 fc " 1 - 1) + 2* - 1 - n/2|, }^(2 fc " 1 - 1) - n/2|) 
= min(2*- 2 ,2*- 2 ) 

= 2*" 2 . (4.10) 

□ 

Remark that, in order to have the equality S(X) = g(2k,n) we want 
dim(X) = 2fc, so we need R > 2, that is, k>2. 
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As a consequence, the code C(X) obtained from a set X constructed in 
this way is a binary projective two-weight [n, 2A:]-code with weights lying 
symmetrically around n/2. The length n of the code constructed in this way 
necessarily equals 2 fc ~ 1 ( 2 * ~ ^ the non-zero weights are. n/2 ± 2 k " 2 . 

Now the question arises whether there exist any other codes attaining the 
square-root bound. If not, then we can look for a sharper bound on g(k, n) 
for the pairs (fc,n) not covered by the construction above, if so, then the 
question is how to find those codes. 

Also from a coding theoretic point of view the existence of two-weight 
projective codes with weights lying symmetrically around n/2, or even two- 
weight codes in general, is an interesting topic. Note that, by picking an 
alternative value for R in the above theorem, we can "shift" the center of 
the two non-zero weights of the code, thus creating two-weight codes with 
weights not lying symmetrically around n/2. 

Maybe we can either exclude or prove the existence of two- weight projec- 
tive codes with certain parameters by looking at their corresponding strongly 
regular graphs. Let us first give the definition of such a graph. A strongly 
regular graph srg(v, Jfc, A, fj) is a graph with v vertices that is regular of degree 
k and that has the following properties: 

1. For any two adjacent vertices x, y } there are exactly A vertices adjacent 
to x and to y. 

2. For any two nonadjacent vertices x % y, there are exactly fj, vertices 
adjacent to x and to y. 

In [2], Delsarte gave a construction of strongly regular graphs from two- 
weight projective codes. He also proved the existence of two-weight codes 
corresponding to certain strongly regular graphs. From his work, we can de- 
rive the relations between the parameters of two-weight codes (length, dimen- 
sion, weight distribution) and the parameters of the corresponding strongly 
regular graphs (v,k 7 \ and p as in the above definition and the eigenvalues 
and their multiplicities of the incidence-matrix of the graph). 

The literature (see, for example, [1] and [8]) provides us with several 
theorems on the properties of the parameters of strongly regular graphs. For 
example, we have the integrality condition and the Krein conditions. At first 
sight, some of these results seem useful for our purposes, but up to now, we 
did not succeed by these methods to prove the (non-) existence of (families of) 
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two non-zero weight codes for which their (non-)existence was not formerly 
known. 

4.3 Two ways of partitioning F* m 

In this section we consider the following problem* Suppose we axe given a 
weight function ft : V -» R where V — TS^ k . We wish to partition the space 
V into q m parts, where each part has total weight of approximately pi(V)/q m 
and where we use only linear functions to achieve the partition. We can think 
of two ways to produce such a partition, 

1. Consider V as a fc-dimensional vector space over F 9 m , and as partition, 
take the g m cosets of a hyperplane in F 9 *» . Then we can use the square- 
root bound to obtain a guarantee on how well we can do. 

2. Consider V as a fern-dimensional vector space over W q . In a first stage, 
partition V into q parts VJ., . . . s V qy consisting of the q cosets of a hy- 
perplane in F* m . Then, we repeat this procedure in each VJ (note that 
we may consider ^ as a (km - l)-dimensional vector space over F q ), 
etc Again we can use the square-root bound to give a guarantee about 
how well we can do in each partition step- 
Now the question is for which partition method our bounds produce the 

best overall upperbound. 

4.4 Algorithms performing the partitioning 

In Chapter 3, we investigated how well the cosets of a suitable hyperplane 
could partition V such that all cosets have approximately the same total 
weight. 

In this section we investigate how to find a vector a € V that produces a 
good partition of V. We will show that a so-called randomized algorithm per- 
forms well. A randomized algorithm is an algorithm that randomly chooses 
vectors from V and outputs the vector that produces the best result. 

Let fM : V = IB* — ► R be the weight function on V for which we want to 
find a vector a that minimizes 

<W WW - \^ V )Y- (411) 
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Let V\ {0} be denoted by V*. By Theorem 2, there existB a vector a € V* 
for which $«(/*) is at most f?(/u), where 

We would be satisfied if, for any weight function jtz, we find an algorithm that 
always produces a vector a such that 5 a (fi) < 6B{u) % for some 0. Therefore, 
we qualify o to be 6 -nice if 6 a (tj) < SB(fi) holds. Note that, the lower the 
value of 0, the better the performance of such an algorithm. Note also that 
if we could find an algorithm that guarantees this for $ < 1, then our bound 
would not be the minimal upperbound on 6 a (fj,). 

The next theorem essentially states that, for any 9 > 1, a randomly 
chosen vector a € V* has a positive probability of being 5- nice. It states 
a lower bound for this probability in terms of 0. Here we assume that we 
always choose uniformly at random^ that is, each vector a € V* has equal 
probability to be .chosen. 

Theorem 4 Let /i ; V = IF* — >R ie a function with support of dimension 
k, and letd>l. Then we have 

Prob(a is d-nice) > (4.13) 

u 

Proof: Let C be the [n,A;]-code C(fi) over F q with generator matrix G and 
generalized weight distribution A. Since we choose a €. V* uniformly at 
random, we have that 

?nH*i>e-nic*)^ la€V ' ii p,f m >' )) \. (4.14) 

In the proof of Lemma 4, we saw that 

SM - ||w(c) - ^1|| 2 , (4.15) 

where c is the codeword corresponding to a, that is, c(a) = a r G. Hence 

|{« € V'\6 a (n) < 9B(n)}\ = \C X \, (4.16) 
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where 



Ci := {c 6 C\ {0} |||w(e) - ^llf < 9B(n)} . (4.17) 

Define 

E := 5>(w)A„, (4.18) 

W 

where p(w) = ||w — £l|] 2 . As in the proof of Theorem 2, we have that 

E = (q-l)f- x Y^lt(v), (4-19) 

and secondly we have that 
£? = £||w( C )-£l|| 2 



= llw(O) - + 2 ||w(c) - 5l|| 2 + £ ||w(e) - ^1| 

9 c€Ci * c6(C\Ci)\{0) * 



2 



"° >|(C\Ci)\{0}|«(a) 



> ^-^n 2 + (g* - - l)ftB(|i). (4.20) 

By substituting (4.12) and solving for |C X |, we find |d| > (g* - 1)(0 - l)/9. 

Combining this result with (4.16), (4.14), and |V*j = q k - 1, we obtain 
the statement in the theorem. □ 

Now consider the following algorithm: pick iV times a vector from V*, 
uniformly at random, and choose the vector that produces the best partition 
of V. 

Prom the above theorem it immediately follows that the probability that 
none of the N vectors is 0-nice is less than (1 - {9 - I)/*)* = 1/0". So we 
conclude that for 6 > 1 the failure-probability, that is, the probability that 
output of the algorithm is not 0-nice, goes to zero exponentially fast with 
increasing N. 
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4.5 Hadamard-matrix problem description 

We can write the weighted vector partition problem over F, also in terms of 
generalized Hadarnard-matrices. An m x m Hadamard-matrix H is a (— 1, 1)- 
matiix for which W L 'H — mJ m holds, where I m denotes the m x m identity 
matrix. For later use, for any proposition P we define the function Sp as 



fl if Pi 
1 \0 ifPi 



iS true; (4.21) 

is false. 



Let V = 5* . For A in F g , we define the generalized \V\ x \V\ Hadamard-matrix 
indexed by the elements of V, by 

«A(a>6) (4.22) 

Note that for q = 2, the matrix 214$ is an ordinary Hadamard-matrix. 

Let fx : V — ► R be the weight function on V. Let /x* := fj,(v) for all t; 6 V\ 
By a slight abuse of notation 3 we will also use /z to denote the vector (fx^^y 
inR v . 

Now we have that 

- - £02, (4.23) 

from which, using the definition in (3.3), we immediately obtain that 

We see that finding the vector a that optimal partitions V is equivalent 
to finding the smallest quadratic sum over A of the a-th component of the 
vectors H\ix* Now that we have given an alternative formulation for £(/i), 
we can prove Theorem 2 as follows. 

Define 



(4.25) 
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In order to calculate E we first prove that 5^ xsF "Hxftx = (9* — g*" 1 )/^! 
by showing that (£a € f, Hjf-«>)(a,6) = (g* - g*- 1 )^. We have that 

- 53 53 0W)=a - h (^6,v)=a - 

* 53 53 ^v)^*(m)-a - • 53 53 - ^ 53 53 <w>=* + 53 51 1 

= 53 53 <Wo=A <y (*-M==o - -9* - -9* + i«*9 

= (g* - g*- l )*o»&. (4.26) 

Here we used that 53asp, *(u,«)=a » 1, for all u 6 V, and that S a ^ = 1 - 5^. 
Let us now return to the calculation of E. We now have that 

-P X fe«i«A)M = (fl*-B*- l )2:#i!, (4.27) 

where we used that n x ft = 52t>ev /*«• 

By using the definition of ||-||, we have that 



g- l 



(£m.) 8 + <«*-1)*0*). (4.28) 
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Now we can combine (4.27) and (4.28); we thus obtain that 

te* - i)*o*> < ^(s* £ ^ - (E M 2 ). (4-29) 

which is equivalent to the square root bound for W q as stated in Theorem 2. 
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CLAIMS: 



1 . An apparatus for reading out information on an information earner which 

apparatus refuses play back of the information carrier if a predefined condition, substantially 
as described above, is not matched. 

5 2. An apparatus according to claim 1, wherein the apparatus is a DVD-player. 

3 . An apparatus according to claim 1 or 2, wherein the predefined condition is 
the; presence of a physical disc mark present on the information carrier upon detection of a 
trigger, substantially as described above. 

10 

4. An apparatus according to claim 3, wherein the physical disc mark is a 
wobble. 

5 . An apparatus according to claim 4, wherein the trigger is a wobble trigger, 
15 substantially as described above. 

C. An information carrier comprising a physical disc mark and a trigger, 

substantially as described herein. 

20 7. An information carrier according to claim 6, wherein the trigger is a wobble 

trigger, substantially as described above. 

g. An information carrier according to claim 7, wherein the trigger is a single bit 

trigger. 



25 



9. An information carrier according to claim 7, wherein the wobble trigger is 

encoded in a pattern of encrypted and unencrypted packs. 
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1 0. An information carrier according to claim 6, wherein the physical disc marie is 

a wobble. 



5 11. An information carrier according to claim 6, 7, 8, 9 or 10, wherein the 

information carrier is a DVD-disc. 



12. An information carrier according to claim 7, wherein the wobble trigger is 

encoded in a key detection algorithm, which algorithm is used to detect whether the 
10 information carrier contains "old" or e *new** content. 



13. A method of copy protection of content present on an information carrier 

substantially as described herein. 

15 14. A method of exchanging copy protection information regarding an information 

carrier substantially as described herein. 

15. A copy protection system substantially as described herein. 
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ABSTRACT: 



The invention tries to find a realisation of the CSS-rule: CSS encrypted content 



on a recordable disc should be refused. In order to be able to use a wobbled disc for 
distinguishing ROM-discs from recordable discs, it is required that in the content on "new 3 ' 
discs there will be a ''wobble-trigger". This trigger has the following requirements: - it should 
S be eas ily detectable from looking just at the content, -it should not be easily removable by a 
hacker, ~ it should not affect content preparation. 



solution is based on the recognition that a message for the purpose of copy protection may be 
transmitted by the deliberately encrypting packs following a certain pattern, Something like 
10 pseudo-random noise patterns of unencrypted packs and encrypted packs would be more 

suitaK e. The second proposed solution consists of designing a function operating on the key 
K\-± f(K) 9 where f(K) can be 0 or 1 ./() has to be chosen in such a way that when operating 
on the keys used in the DVD-titles published so far (on the order of 4000 keys), it always 
yields 0. 



Two solutions for this wobble trigger are proposed. The first proposed 
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(Fig. 2) 
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